Solution providers will resell assessment services

The security solution provider, based here, specializes in assessing the security of e-commerce applications for clients in financial services and other vertical markets. Icons now wants to expand its market reach by teaming with other consulting and integration firms to resell its application security services.

"If I'm a systems integrator hired by a large firm to produce an e-commerce site, I'll be engaged for up to a year. Somewhere along the line, that client will ask the integrator to comment on security," said Paul Rohmeyer, COO of Icons.

Icons can provide security expertise by inspecting an application's design and looking at how it applies encryption, access controls and other security measures, he said.

A third-party security review provides credibility for the integrator's work and avoids conflicts of interest, Rohmeyer said. "There can be no appearance that the designers have hidden anything," he said.

To build a channel for its professional services, Icons created a tiered partner program based on level of commitment and hired a marketing director. The firm hopes to sign about 40 partners this year, Rohmeyer said.

Icons is recruiting a variety of partners, including some companies that might appear to be competitors, said Icons CEO Sanjay Kalra. Security is a broad area, however, and Icons' application security focus can complement another firm's area of expertise, he said.

"We have a service that they don't offer and vice versa," he said. "They have a service that we don't have and we'd like to offer."

While Sun Tzu could offer Icons' application security services, it would also look to Icons as a channel for its 24x7 managed network security services, Proactive Information Security Monitoring (PRISM), Wells said.

Sun Tzu sees a potentially strong market for application security among its SMB customers, Wells said. Attackers can break into a network through a hole in an application, and Icons has built a reputation in securing applications, he said.

Rohmeyer said customer interest in application security assessments has grown over the past six months as companies roll out B2B and B2C sites.

Plus, system breaches have become more sophisticated over the past 18 months, raising security awareness in the enterprise and prompting companies to look beyond network-based assessments to application-based ones, Kalra said.

Another security consulting firm providing application security is @stake, Cambridge, Mass. Earlier this year, the company disclosed the results of research it's been doing. According to @stake, the typical e-business application is at risk because of security flaws introduced early in the design cycle.

Icons follows an assessment approach based on the National Security Agency's Information Assurance Methodology (IAM), a systematic way of examining cyber vulnerabilities.

Icons examines critical parts of an application and technical architecture, including business processes that the application system supports, code review, programmatic controls and privacy requirements.

The partner model works well in security, where organizations turn only to parties that they trust, Rohmeyer said. "If I'm brought in as a partner by a company that's already engaged with that client, it goes a long way toward establishing trust," he said.